"Paul Lathrop" writes:
>> Unfortunately, this leaves the seed file, required only for the command
>> to run, lying around on disk.  Now, I can protect the file with mode
>> 0400, or I can tidy it with a dependency on the exec command, but what
>> I really want is something like "refreshonly" for files; only copy the
>> file over if something is being evaluated that explicitly requires it.

Note that I haven't actually tried the "tidy" approach, and it may meet
my needs.  Just before we go further.  I only thought of it as I was
writing my previous email.

>I'm not sure you understand that I'm not arguing *against* 'onlyif' as
>a metaparameter. I'm focusing on how to do what you want, now, with
>Puppet as it is today. I do think it is slightly odd the way people
>choose to model things, but flexibility is one of Puppet's strong
>points.

:)  Yes, understood.

>Why not wrap the process of fetching the seed file, generating the
>"password alias", and then securely deleting the seed file into a
>script, which you would then put in your exec with an appropriate
>'onlyif'?

That's an excellent question.

I think the reason I don't want to do that is twofold:

    1. That Puppet gives me idempotency for free; if my script gets
    interrupted in the middle, I have to have recovery logic (not
    complicated in this case, admittedly, but I believe still obscures
    what I'm trying to do for maintenance coders, and sets a "bad"
    precedent).  There's a natural barrier to going "outside" the tool,
    if you like.

    2. Puppet has secure file transfer, and setting up a secure rsync
    between puppet server and client hasn't been required so far.
    This objection could be easily overcome if there was a way of
    accessing Puppet file transfer from "outside" Puppet.  Is there?

For another example of where this pattern of behaviour
(dealing with small files containing sensitive data, where
you don't want to inline the data into your manifest), see
http://reductivelabs.com/trac/puppet/wiki/Recipes/FirmwarePassword.

    -- michael.
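
The wrapper-script approach raised in the quoted reply, with the recovery logic for an interrupted run, as an added example that is not part of the original message. The function name apply_seed, the marker file, and delivering the seed on stdin are assumptions; the thread leaves open how the seed would be fetched outside Puppet.

```shell
#!/bin/sh
# Added example (hypothetical names). Seed data arrives on stdin; that
# delivery path is an assumption, the thread leaves it open.
#
# apply_seed MARKER CMD [ARGS...]
#   - no-op if MARKER exists, so repeated runs are idempotent
#   - stores the seed in a private temp file and runs CMD ARGS... <tempfile>
#   - removes the temp file on success, failure, and INT/TERM/HUP
#   - creates MARKER only after CMD succeeds
apply_seed() (
    marker=$1
    shift
    [ -e "$marker" ] && exit 0

    umask 077                       # temp file readable by owner only
    tmp=$(mktemp "${TMPDIR:-/tmp}/seed.XXXXXX") || exit 1

    # Best-effort overwrite, then unlink. Overwriting is not reliable on
    # journaling or copy-on-write filesystems, so rm is the fallback.
    trap 'shred -u "$tmp" 2>/dev/null || rm -f "$tmp"' EXIT
    # Turn signals into a normal exit so the EXIT trap still runs.
    trap 'exit 130' INT TERM HUP

    cat > "$tmp" || exit 1          # read the seed from stdin
    "$@" "$tmp" || exit 1           # a failed or interrupted run leaves no marker
    : > "$marker"                   # record success for the next run
)
```

From Puppet, an exec resource could call this with `creates` set to the marker path, which gives the same kind of guard as the 'onlyif' discussed above.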
